
Mandylion Research Labs

http://www.mandylionlabs.com/index15.htm

USE TO ESTIMATE TIME FOR THE MORE DIFFICULT BRUTE FORCE ONLY (DICTIONARY LOOKUP ATTACKS, WHICH ARE USUALLY TRIED FIRST, TAKE SECONDS AND GET AN AVERAGE OF 25% OF ALL PASSWORDS)

The only USER INPUT AREA -- insert password parameters here (see tab "How to Use this Calculator" for further detail).

Length sorted by                                  Password length in characters   Character set size
Upper Case Letters                                0                               26
Lower Case Letters                                0                               26
Numbers                                           0                               10
Special Characters                                0                               32
or Purely Random Combo of Alpha/Numeric           0                               62
or PURELY Random Combo of Alpha/Numeric/Special   0                               94
PHRASE or WORD SUBJECT TO A DICTIONARY ATTACK     0                               5

Entropy or Keyspace of password (per line): 1, 1, 1, 1, 1, 1, 1; total: 1 (or #N/A)
Reduce Keyspace Search by 1/2 (Law of Averages): Total Workload in Floating Point Processes = 1
Average Assigned Workload/Computer: Number of Keys a Desktop Computer Can Try efficiently in an Hour (= 2*2^33) = 17,179,869,184, i.e. 17 billion tries in an hour (Very High Performance)

Estimated Gross Number of hours to Crack: 0.00 hours (0.00 days)

On Distributed Level, if Number of Machines Employed were:
  10          0.00 hours
  50          0.00 hours
  100         0.00 hours
  250         0.00 hours
  500         0.00 hours
  1,000       0.00 hours
  10,000      0.00 hours
  100,000     0.00 hours

(per distributed.net, the efficient workload for 1/2 hour is now (2202) a 2^33 keyspace search; it was 2^28)


The red area is the only area of user input. The calculator is organized to give you two ways to enter a password's composition:

-- the first way is by separately putting in the number of alpha / numeric / special characters in the password (if they are known) on each of their separate lines, and seeing that the total adds up to your total password length; and

-- the 2nd way is just by putting in the total number of positions in the password on either the "random combo" alpha/numeric line, or the "random combo" alpha/numeric/special character line if special characters are included, or the phrase or word subject to a dictionary attack line.

The result of the two methods can vary widely. For instance, if I have a password comprised of 4 upper alphas and 3 numbers and 1 special character and they were entered separately (making sure the total for password length read 8), it would show about 14 billion positions in the keyspace and about .43 of an hour, or about 25 minutes, to get that cracked. If however I just put 8 in the random combo field, it would show in the "gazillions" and would take about 177k hours to crack.

Why the difference? Simple: the calculator tries to approximate what L0phtCrack algorithms take advantage of -- social engineering, i.e. a propensity to make even supposedly "strong" manually made up passwords easy to remember, thereby giving the hacker an educated guess on the predictable pattern of just its composition, which gives them a tremendous head start in where to start the brute force attack. The logic is: if in brute force mode you are resolved to trying each and every position in the keyspace in finding the answer, why not start that search in the most likely areas, i.e. standard policies, repeating characters, patterns, etc.

For instance, the cracking programs rely on the fact that a typical user will probably not start a password with a special character in the first position but will nearly always put it somewhere near the end of the space; therefore you can shave enormous amounts of cracking time with a cracking program that is written to contemplate this, so that it will not start a brute force guessing attack on a password by assuming a special character is in the first position. Or, a user working within an environment that has a password composition policy will almost always subconsciously mimic the wording of the policy when they are trying to comply with it, i.e. if policy says it must contain at least 8 characters with at least one of each of the character sets (alpha upper, alpha lower, numeric, and special characters) represented, users under that policy will then most likely (and hence the cracking programs will improve their odds of cracking speed by doing these first) create a password that literally follows that order in the policy, i.e. an 8 character password that looks like this: As1%1234, where they get their "minimum compliance with policy" out of the way "up front" and then add a suffix with something easy to remember, 1234.

In essence, these cracking programs go through a protocol of routines or hacking steps from greatest reward/least effort to finally greatest effort/least reward (i.e. purely random), hoping to get lucky and snag an answer before they have to go through the entire keyspace.

The following is a good reference on how L0phtCrack uses logic such as this to take educated guesses at where in the keyspace it should first start looking for a matching pattern: http://online.securityfocus.com/infocus/1319

Mean Time to Brute Force Attack a Key Space worksheet

Definitions

Plain Text: A series of printable keyboard characters (i.e. like a password).

Password: A series of printable keyboard characters used to uniquely identify a person or device as having authorization to access resources or data or space.

Cipher Text: Plain text which has been encrypted by either encryption software or transparently via the browser, operating system or data communications utility. Also see Encrypted Stream.

Encrypted Stream: A series of 1's and 0's representing the transmission of encrypted plain text which cannot be decoded to arrive back at its plain text equivalent.

Hash or One Way Hash: See Encrypted Stream.

Target Cipher Text: The Encrypted Stream or Cipher Text attempting to be decoded (cracked) via comparison with other known

Encoding Plain Text: The process of encoding plain text to cipher text.

Keyspace: The total number of possible comparisons to an encrypted stream.

Flops/Megaflops/Gigaflops: Floating point operations per second, a measure of a CPU's processing power doing complex calculations; Mega is million, Giga is billion. Rule of thumb: most desktop machines now can perform at several hundred megaflops/sec, and the high end machines have just recently broken the gigaflop threshold. Can only be empirically calculated via benchmark tests, which are performed on all major CPUs and the results published.

Comparisons, Tries or Guesses: A single attempt at Encoding Plain Text and comparing the result to a Target Cipher Text to see if they are equal. Rule of thumb: a single attempt is approximately equal to a single floating point process.

Total Workload: The calculated number of tries necessary to break a given code (keyspace/2).

Average Assigned Workload: For distributed processing applications, the average portion of the total workload assigned to be solved by a particular CPU. Assigned workloads take into account average CPU size and capability, average CPU utilization, and average time online and available for processing. Current rule of thumb is 2 to the 33rd power for 1/2 hour of computing time per session at less than 10% utilization.

Entropy: See Keyspace.

Code Breaking Law of Averages: Accepted 50/50 chance, i.e. a code has an equal chance of being broken anywhere throughout the entire Keyspace (it could be on the first try or the last, but the average is 1/2 way through all tries).

Name          Value                                           Power of ten   Exponent
million       1,000,000                                       1*10^6         6
billion       1,000,000,000                                   1*10^9         9
trillion      1,000,000,000,000                               1*10^12        12
quadrillion   1,000,000,000,000,000                           1*10^15        15
quintillion   1,000,000,000,000,000,000                       1*10^18        18
sextillion    1,000,000,000,000,000,000,000                   1*10^21        21
septillion    1,000,000,000,000,000,000,000,000               1*10^24        24
octillion     1,000,000,000,000,000,000,000,000,000           1*10^27        27
nonillion     1,000,000,000,000,000,000,000,000,000,000       1*10^30        30
decillion     1,000,000,000,000,000,000,000,000,000,000,000   1*10^33        33


What Can the latest SuperComputer do? (as of Fall, 2004)

IBM's Blue Gene SuperComputer, 9/04 (70 trillion per second), see Top500.org:

  1 trillion                   = 1,000,000,000,000
  x 70                         = 70,000,000,000,000.00 transactions or unique password searches per second
  x 3600 seconds in an hour    = 252,000,000,000,000,000.00 transactions or unique password searches per hour

What this calculator uses as the estimate of what the typical Pentium Computer can search in an hour:

  17,179,869,184.00 transactions or unique password searches per hour used in this calculator

  14,700,000: the latest super computer has the ability to search 14.7 million times faster than the estimate of a hacker's computing power used in this calculator for cracking with today's cracking software.

Factoids:

  9 character purely random password (keyspace: 572 quadrillion combinations = 572*10^15 to be searched): the size of a purely random password that could be broken by the super computer in 1 hour.

  11 character purely random password (keyspace: 5 sextillion combinations = 5*10^21 to be searched): the size of a purely random password that could theoretically survive a super computer attack for 90 days.
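As an added worked example (not part of the Mandylion worksheet), the arithmetic behind both the composition-versus-random comparison in the "how to use" text and the Blue Gene comparison above, in Python. The function names and the result layout are my own; the rates (2*2^33 keys per hour for a desktop, 70 trillion per second for Blue Gene) and the keyspace/2 law of averages are the worksheet's.

```python
# Character-set sizes used by the worksheet for each line of the input area.
SET_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}

DESKTOP_KEYS_PER_HOUR = 2 * 2**33               # 17,179,869,184, the worksheet's desktop estimate
BLUE_GENE_KEYS_PER_HOUR = 70 * 10**12 * 3600    # 2.52e17, the Fall 2004 Blue Gene figure


def keyspace_by_composition(counts):
    """Keyspace when the number of characters from each set is known.

    Mirrors the worksheet's separate-lines method: multiply size**count per set,
    e.g. 26**4 * 10**3 * 32**1 for 4 upper, 3 digits, 1 special.
    """
    space = 1
    for name, n in counts.items():
        space *= SET_SIZES[name] ** n
    return space


def keyspace_random(length, alphabet=94):
    """Keyspace for a purely random password (62 = alpha/numeric, 94 = with specials)."""
    return alphabet ** length


def hours_to_crack(keyspace, keys_per_hour, machines=1):
    """Expected hours: half the keyspace (law of averages) spread over `machines` CPUs."""
    workload = keyspace / 2
    return workload / (keys_per_hour * machines)


def worksheet_example():
    """Reproduce the worksheet's figures for an As1%1234-style 8 character password."""
    composed = keyspace_by_composition({"upper": 4, "digit": 3, "special": 1})
    random8 = keyspace_random(8)
    return {
        "composed_keyspace": composed,                                        # ~14.6 billion
        "composed_hours": hours_to_crack(composed, DESKTOP_KEYS_PER_HOUR),   # ~0.43 h
        "random_keyspace": random8,                                           # ~6.1e15
        "random_hours": hours_to_crack(random8, DESKTOP_KEYS_PER_HOUR),      # ~177k h
        "random_hours_1000_machines": hours_to_crack(random8, DESKTOP_KEYS_PER_HOUR, 1000),
        "speedup": BLUE_GENE_KEYS_PER_HOUR / DESKTOP_KEYS_PER_HOUR,          # ~14.7 million
        "random9_blue_gene_hours": hours_to_crack(keyspace_random(9), BLUE_GENE_KEYS_PER_HOUR),
    }


if __name__ == "__main__":
    for key, value in worksheet_example().items():
        print(f"{key}: {value:,.2f}")
```

The gap between "composed_hours" and "random_hours" is the point the worksheet makes: a policy-shaped password is searched in a keyspace hundreds of thousands of times smaller than its length alone suggests.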
